In AS6 the meaning of <role-name>*</role-name> was determined by the allRolesMode property of the JBossWebRealm which was configured in jbossweb.sar/server.xml and set to authOnly (= Allow any authenticated user) by default.

In AS7 the default of allRolesMode seems to be strict (= Use the strict servlet spec interpretation which requires that the user have one of the web-app/security-role/role-name).

I found no trace of JBossWebRealm in standalone.xml, so I wonder if (and how) it is possible to configure the allRolesMode property in AS7 to restore the previous behavior.

I'm heavily interested in the possibility to configure the allRolesMode since we've got multiple applications that are affected and our role names aren't static. Our role names contain a version suffix since multiple versions of an application may be in production at the same time and the roles assigned to a user may differ for each version. Assigning a "strict" role would require us to change the role with each release, which seems a repetitive and error-prone task for multiple applications.

Should I create a feature request in Jira or could you contact the JBoss Web team directly?
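
The difference between the two allRolesMode values described in the post, as an added example that is not part of the original post and is not JBoss Web code. It models the access decision for a constraint using `<role-name>*</role-name>`; the class, method and role names are hypothetical and the sample roles are constructed.

```java
import java.util.Set;

// Added illustration: evaluates a <role-name>*</role-name> constraint under
// the two allRolesMode values named in the post (strict and authOnly).
public class AllRolesModeDemo {

    enum AllRolesMode { STRICT, AUTH_ONLY }

    /**
     * @param mode          allRolesMode in effect
     * @param authenticated whether the caller has authenticated
     * @param userRoles     roles assigned to the caller
     * @param declaredRoles web-app/security-role/role-name entries in web.xml
     */
    static boolean permitsWildcard(AllRolesMode mode, boolean authenticated,
                                   Set<String> userRoles, Set<String> declaredRoles) {
        if (!authenticated) {
            return false; // "*" does not admit unauthenticated callers in either mode
        }
        if (mode == AllRolesMode.AUTH_ONLY) {
            return true; // authOnly: any authenticated user passes
        }
        // strict: the caller needs at least one role declared in web.xml
        for (String role : userRoles) {
            if (declaredRoles.contains(role)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample data: role names carrying a version suffix.
        Set<String> declared = Set.of("orders-user-1.0"); // security-role in web.xml
        Set<String> oldUser = Set.of("orders-user-1.0");
        Set<String> newUser = Set.of("orders-user-1.1");  // role of the next release

        for (AllRolesMode mode : AllRolesMode.values()) {
            System.out.printf("%-9s old-role user: %-5b new-role user: %-5b anonymous: %b%n",
                    mode,
                    permitsWildcard(mode, true, oldUser, declared),
                    permitsWildcard(mode, true, newUser, declared),
                    permitsWildcard(mode, false, Set.of(), declared));
        }
    }
}
```

Under strict, the user holding only the new release's role is denied until web.xml declares that role, which is the per-release maintenance the post describes; under authOnly both authenticated users pass.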